CVE-2026-11575 in Payment Solutions Plugininfo

Summary

by MITRE • 07/17/2026

The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash of the request body that anyone can compute. This allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The PhonePe Payment Solutions WordPress plugin vulnerability represents a critical authentication failure that undermines the security of e-commerce transactions within WordPress environments. This weakness affects versions prior to 310 and stems from improper validation of incoming payment callbacks, creating an avenue for malicious actors to manipulate payment processing workflows. The flaw specifically targets the signature verification mechanism that should ensure only legitimate payment notifications can update order statuses within WooCommerce systems.

The technical implementation of this vulnerability manifests through a fundamental design flaw in the plugin's callback validation logic. When sites are configured using the standard setup flow, the secret key used to validate callback signatures becomes empty or null, rendering the entire authentication process ineffective. This creates a scenario where the expected signature calculation reduces to an unkeyed hash of the request body, eliminating any cryptographic protection that would normally prevent unauthorized modifications. The absence of a proper secret key means that anyone with knowledge of the payment processing endpoint can compute valid-looking signatures for payment success notifications.

The operational impact of this vulnerability extends far beyond simple security concerns, as it directly enables financial fraud and revenue loss for merchants using affected WordPress installations. Attackers can exploit this weakness to forge payment-success notifications that will automatically mark unpaid WooCommerce orders as paid without requiring any actual payment processing. This creates an immediate opportunity for unauthorized individuals to gain access to purchased goods or services while the merchant remains unaware of the fraudulent activity. The vulnerability affects the core payment integrity mechanisms that e-commerce platforms rely upon to maintain trust between buyers and sellers.

This security weakness aligns with several established cybersecurity frameworks, particularly CWE-312 (Sensitive Data Exposure) and CWE-347 (Improper Verification of Cryptographic Signature), which specifically address the dangers of inadequate authentication mechanisms and weak cryptographic implementations. The vulnerability also maps to ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing) in its exploitation patterns, as attackers can leverage this weakness to manipulate system states without requiring additional credential compromise. Organizations implementing payment solutions must understand that such vulnerabilities can create cascading effects throughout their entire transaction processing infrastructure.

The recommended mitigation strategy involves immediate upgrade to PhonePe Payment Solutions plugin version 3.1.0 or later, which addresses the empty secret key issue and restores proper signature validation. Additionally, system administrators should implement network-level monitoring to detect unusual payment callback patterns and establish additional verification mechanisms beyond the plugin's built-in security features. Regular security audits of payment processing components are essential to identify similar vulnerabilities that could compromise financial transaction integrity. Organizations should also consider implementing webhook signature validation at multiple layers of their infrastructure to provide defense-in-depth against this class of attack, ensuring that even if one validation mechanism fails, others can still protect against unauthorized payment modifications.

Responsible

WPScan

Reservation

06/08/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!